From 25ecf8ed4b4cbca69a9fa09c27bbd4e5c83fafe3 Mon Sep 17 00:00:00 2001
From: Alexey Botchkov
Date: Fri, 26 Feb 2021 13:26:00 +0400
Subject: [PATCH] MDEV-24965 With ALTER USER ...IDENTIFIED BY command, password doesn't replaced by asterisks in audit log.
Check for the ALTER USER command added.
---
 mysql-test/suite/plugins/r/server_audit.result | 3 +++
 mysql-test/suite/plugins/t/server_audit.test | 1 +
 plugin/server_audit/server_audit.c | 3 +++
 3 files changed, 7 insertions(+)
diff --git a/mysql-test/suite/plugins/r/server_audit.result b/mysql-test/suite/plugins/r/server_audit.result
index 3fce3346f29..ff22cdff8d6 100644
--- a/mysql-test/suite/plugins/r/server_audit.result
+++ b/mysql-test/suite/plugins/r/server_audit.result
@@ -118,6 +118,7 @@ CREATE USER u1 IDENTIFIED BY 'pwd-123';
 GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
 SET PASSWORD FOR u1 = PASSWORD('pwd 098');
 CREATE USER u3 IDENTIFIED BY '';
+ALTER USER u3 IDENTIFIED BY 'pwd-456';
 drop user u1, u2, u3;
 set global server_audit_events='query_ddl';
 create table t1(id int);
@@ -382,6 +383,8 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'ALTER USER u3 IDENTIFIED BY \'pwd-456\'',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
diff --git a/mysql-test/suite/plugins/t/server_audit.test b/mysql-test/suite/plugins/t/server_audit.test
index fa5bd7e1349..6c75c3bf732 100644
--- a/mysql-test/suite/plugins/t/server_audit.test
+++ b/mysql-test/suite/plugins/t/server_audit.test
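Review bot: The expected audit line added in the second hunk of server_audit.result, `...,QUERY,sa_db,'ALTER USER u3 IDENTIFIED BY \'pwd-456\'',0`, still carries the clear-text password, while the CREATE USER u3 line two rows above it is recorded as `IDENTIFIED BY *****`. As recorded, the test only passes when the audit log contains the ALTER USER password, which contradicts the commit title. Whether the result was recorded before the server_audit.c change took effect, or the masking path is not reached for this statement, cannot be told from the hunk. After confirming that the mask works, re-record the file so this line reads `'ALTER USER u3 IDENTIFIED BY *****',0`.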
@@ -95,6 +95,7 @@ CREATE USER u1 IDENTIFIED BY 'pwd-123';
 GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
 SET PASSWORD FOR u1 = PASSWORD('pwd 098');
 CREATE USER u3 IDENTIFIED BY '';
+ALTER USER u3 IDENTIFIED BY 'pwd-456';
 drop user u1, u2, u3;
 set global server_audit_events='query_ddl';
diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c
index f6661772df1..9a954365d83 100644
--- a/plugin/server_audit/server_audit.c
+++ b/plugin/server_audit/server_audit.c
@@ -819,6 +819,7 @@ enum sa_keywords
 SQLCOM_DML,
 SQLCOM_GRANT,
 SQLCOM_CREATE_USER,
+ SQLCOM_ALTER_USER,
 SQLCOM_CHANGE_MASTER,
 SQLCOM_CREATE_SERVER,
 SQLCOM_SET_OPTION,
@@ -926,6 +927,7 @@ struct sa_keyword passwd_keywords[]=
 {
 {3, "SET", &password_word, SQLCOM_SET_OPTION},
 {5, "ALTER", &server_word, SQLCOM_ALTER_SERVER},
+ {5, "ALTER", &user_word, SQLCOM_ALTER_USER},
 {5, "GRANT", 0, SQLCOM_GRANT},
 {6, "CREATE", &user_word, SQLCOM_CREATE_USER},
 {6, "CREATE", &server_word, SQLCOM_CREATE_SERVER},
@@ -1845,6 +1847,7 @@ do_log_query:
 {
 case SQLCOM_GRANT:
 case SQLCOM_CREATE_USER:
+ case SQLCOM_ALTER_USER:
 csize+= escape_string_hide_passwords(query, query_len, uh_buffer, uh_buffer_size, "IDENTIFIED", 10, "BY", 2, 0);
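Review bot: The new `case SQLCOM_ALTER_USER:` in the last hunk reuses the GRANT/CREATE USER branch, which calls escape_string_hide_passwords with the fixed keyword pair "IDENTIFIED"/"BY", so only that spelling of the clause is covered. An ALTER USER statement that carries the secret in another clause (for instance an `IDENTIFIED VIA ... USING` form, if this branch accepts it) would presumably be logged unchanged; the helper's body is outside the hunk, so this is inferred from the arguments. I would state the limit next to the case, `/* masks only IDENTIFIED BY '<pwd>'; other authentication clauses are logged as written */`, and extend server_audit.test with a multi-user ALTER USER and a non-`BY` clause to pin the behaviour. The switch and its enclosing function start and end outside the hunk.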